SimpleSAMLphp as IdP and AWS as SP


NuwaN Gajanayaka

Jul 25, 2014, 8:37:37 AM
to simple...@googlegroups.com
Hi guys,

We created a SAML IdP on our side following this document https://simplesamlphp.org/docs/stable/simplesamlphp-idp and installed the AWS SDK (PHP) in our project.

Using the SDK we create an IamClient object and successfully create a SAMLProvider using the IdP metadata file. We used this architecture for our task: http://docs.aws.amazon.com/STS/latest/UsingSTS/images/SAML-flow-API.png

For link number 3 (in the image) we have to create the SAML assertion. These are the required parameters for link number 3.

(a). PrincipalArn : The Amazon Resource Name (ARN) of the SAML provider in IAM that describes the IdP.
(b). RoleArn: The Amazon Resource Name (ARN) of the role that the caller is assuming.
(c). SAMLAssertion: The base-64 encoded SAML authentication response provided by the IdP.
Now we have parameters (a) and (b), but we haven't found the third parameter (c). How do we create this assertion from our IdP? What are the configurations for the assertion? Is it possible to generate it from our IdP?

Jaime Pérez Crespo

Jul 28, 2014, 4:45:54 AM
to simple...@googlegroups.com
Hi,

On 25 Jul 2014, at 14:37, NuwaN Gajanayaka <mvn...@gmail.com> wrote:
> Hi guys,
>
> We created a SAML IdP on our side following this document https://simplesamlphp.org/docs/stable/simplesamlphp-idp and installed the AWS SDK (PHP) in our project.
>
> Using the SDK we create an IamClient object and successfully create a SAMLProvider using the IdP metadata file.
> We used this architecture for our task. ( http://docs.aws.amazon.com/STS/latest/UsingSTS/images/SAML-flow-API.png)
>
> For link number 3 (in the image) we have to create the SAML assertion. These are the required parameters for link number 3.
>
> (a). PrincipalArn : The Amazon Resource Name (ARN) of the SAML provider in IAM that describes the IdP.
> (b). RoleArn: The Amazon Resource Name (ARN) of the role that the caller is assuming.
> (c). SAMLAssertion: The base-64 encoded SAML authentication response provided by the IdP.
> Now we have parameters (a) and (b), but we haven't found the third parameter (c). How do we create this assertion from our IdP?

You don’t create assertions. The IdP creates them upon request. You need to send a SAML authentication request to the endpoint specified by the IdP, and then the IdP will authenticate the user and send a SAML response (with a SAML assertion inside) back to the originating service provider.

What I’m wondering here is what role does the “client app” take. Is that a web application of your own?

> what the configurations for assertion?

You don’t “configure” assertions either. Assertions are issued according to the attributes pertaining to the authenticating principal, and of course according to the specifics of the IdP (i.e.: the certificate used to sign it).

> is it possible to generate it from our IDP?

Issuing assertions is the main purpose of an IdP ;-)

--
Jaime Pérez
UNINETT / Feide
mail: jaime...@uninett.no
xmpp: ja...@jabber.uninett.no

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost


NuwaN Gajanayaka

Jul 29, 2014, 2:57:31 AM
to simple...@googlegroups.com
Hi Jaime,
Thank you for your reply. More about the questions:

What I’m wondering here is what role does the “client app” take. Is that a web application of your own?
> Actually this is an API for a mobile application. The mobile application (client) can upload images and videos (to AWS S3 buckets). We store user details on the API (currently we use MongoDB).

You don’t “configure” assertions either.
> Yes, I didn't. Can you please send a link or a list of steps to do this?

Issuing assertions is the main purpose of an IdP ;-)
> Yes, it's true. I am sorry to have confused you. Actually I mean we didn't use LDAP or SAML SSO for this; I only want to set up authentication (using IAM) for uploading to S3 buckets and objects.

Thanks
Nuwan

Jaime Pérez Crespo

Jul 29, 2014, 3:51:42 AM
to simple...@googlegroups.com
Hi Nuwan,

On 29 Jul 2014, at 08:57, NuwaN Gajanayaka <mvn...@gmail.com> wrote:
> Hi Jaime,
> Thank you for your reply. More about the questions:
>
> What I’m wondering here is what role does the “client app” take. Is that a web application of your own?
> > Actually this is an API for a mobile application. The mobile application (client) can upload images and videos (to AWS S3 buckets). We store user details on the API (currently we use MongoDB).

Now I’m completely lost. Do you mean you are developing a mobile application (the "client app”), and you need to use an API (AWS) to do your stuff, and the API requires a SAML response from you for authentication?

> You don’t “configure” assertions either.
> > Yes, I didn't. Can you please send a link or a list of steps to do this?

To do what exactly? If you’ve followed the IdP documentation (which you did according to your first message), then that’s it.

> Issuing assertions is the main purpose of an IdP ;-)
> > Yes, it's true. I am sorry to have confused you. Actually I mean we didn't use LDAP or SAML SSO for this; I only want to set up authentication (using IAM) for uploading to S3 buckets and objects.

Then, what’s the purpose of using SimpleSAMLphp here?

My understanding according to the previous diagram is that Amazon delegates identity management to the user of the API. It is then the responsibility of the user to set up (or integrate) a SAML Single-Sign-On that can be used by the applications to authenticate the user to the API. But you should really provide more information or ask Amazon for it, because I don’t really know how Amazon handles all of this (maybe others in this list can help you better). At first sight, here are several questions you’ll need an answer for:

- Does the client issue a SAML request to the IdP, or is it just a normal HTTP request and therefore this is IdP-initiated authentication?
- If you have to forward the SAML response to the STS according to the figure, does that mean that the STS is the Service Provider in this scenario?
- Does the STS require signatures / encryption of the SAML assertions / responses?
- What attributes does the STS need to identify the user?

Also, bear in mind that SAML SSO is front-channel, that is, the entire flow happens through the web browser. That means your client app should behave like a web browser indeed.
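To tie the two answers above together (the IdP issues the Response on request; the client app forwards it to STS untouched as the SAMLAssertion parameter), here is an added Python example. It is not part of this thread, of SimpleSAMLphp or of the AWS SDK; it shows what a SAML Response bound for AWS has to contain and how its contents map onto the three AssumeRoleWithSAML parameters, which answers the "what attributes does the STS need" and "is the STS the Service Provider" questions for this particular SP. Facts it relies on from the AWS federation documentation: AWS's service-provider entity ID is `urn:amazon:webservices` and the assertion audience must be `https://signin.aws.amazon.com/saml`; STS reads the role/provider pair from the attribute `https://aws.amazon.com/SAML/Attributes/Role` (the two ARNs may appear in either order) and the session name from `https://aws.amazon.com/SAML/Attributes/RoleSessionName`; the SAMLAssertion parameter is the whole base64-encoded `samlp:Response`, not just the inner Assertion; and the call needs no AWS credentials, because STS authenticates the request by verifying the IdP signature against the certificate in the metadata uploaded to the IAM SAML provider. The flow is IdP-initiated, so the client asks the IdP directly for a Response addressed to AWS. Assumptions: the IdP hostname idp.example.org and its IdP-first SSOService URL, the account ID 123456789012, and the role and provider names are all made up; the sample Response is constructed and unsigned, so STS would reject it, and it exists only to exercise the parsing.

```python
"""Added example: what the client app does with the SAML Response from SimpleSAMLphp
before calling STS AssumeRoleWithSAML. All names and the sample Response are constructed."""
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_SP_ENTITY_ID = "urn:amazon:webservices"            # AWS's SAML service-provider entityID
AWS_AUDIENCE = "https://signin.aws.amazon.com/saml"    # audience STS expects in the assertion
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# Assumed SimpleSAMLphp IdP-first login URL (hostname is an assumption): the client asks the
# IdP for a Response addressed to AWS, which is what the "get SAML response" step amounts to.
IDP_INITIATED_URL = ("https://idp.example.org/simplesaml/saml2/idp/SSOService.php"
                     "?spentityid=" + AWS_SP_ENTITY_ID)

# Constructed, UNSIGNED sample Response. A real one from the IdP carries a ds:Signature that
# STS verifies against the certificate in the metadata uploaded to the IAM SAML provider.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2014-07-29T08:00:00Z" Destination="https://signin.aws.amazon.com/saml">
 <saml:Issuer>https://idp.example.org/simplesaml/saml2/idp/metadata.php</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-07-29T08:00:00Z">
  <saml:Issuer>https://idp.example.org/simplesaml/saml2/idp/metadata.php</saml:Issuer>
  <saml:Subject><saml:NameID>nuwan</saml:NameID></saml:Subject>
  <saml:Conditions NotOnOrAfter="2014-07-29T08:05:00Z"><saml:AudienceRestriction>
   <saml:Audience>https://signin.aws.amazon.com/saml</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
    <saml:AttributeValue>arn:aws:iam::123456789012:role/S3Uploader,arn:aws:iam::123456789012:saml-provider/MyIdP</saml:AttributeValue>
    <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/MyIdP,arn:aws:iam::123456789012:role/S3ReadOnly</saml:AttributeValue>
   </saml:Attribute>
   <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
    <saml:AttributeValue>nuwan</saml:AttributeValue>
   </saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""


def encode_response(xml_text):
    """The IdP delivers the whole samlp:Response base64-encoded (the SAMLResponse form field)."""
    return base64.b64encode(xml_text.encode()).decode()


def parse_aws_saml_response(saml_b64):
    """Decode a Response and pull out what STS will need. Raises ValueError for things STS
    would refuse on structural grounds (no Success, wrong audience, missing attributes).
    The signature is deliberately not checked here: STS does that, and the client app is
    not the party that should be trusted with that decision."""
    root = ET.fromstring(base64.b64decode(saml_b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("SAMLAssertion must be the full samlp:Response, not a bare Assertion")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith(":Success"):
        raise ValueError("IdP did not report Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext saml:Assertion (this example handles unencrypted ones only)")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if AWS_AUDIENCE not in audiences:
        raise ValueError("assertion audience %r is not %s" % (audiences, AWS_AUDIENCE))
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text.strip()
                                   for v in attr.findall("saml:AttributeValue", NS) if v.text]
    roles = []
    for value in attrs.get(ROLE_ATTR, []):
        parts = [p.strip() for p in value.split(",")]
        role = next((p for p in parts if ":role/" in p), None)        # either order is allowed,
        provider = next((p for p in parts if ":saml-provider/" in p), None)  # so sort by type
        if len(parts) != 2 or role is None or provider is None:
            raise ValueError("malformed Role attribute value: %r" % value)
        roles.append((role, provider))
    if not roles or not attrs.get(SESSION_ATTR):
        raise ValueError("Role and RoleSessionName attributes are both required by STS")
    return {"issuer": assertion.find("saml:Issuer", NS).text,
            "roles": roles, "session_name": attrs[SESSION_ATTR][0]}


def assume_role_params(saml_b64, role_arn):
    """Build the three AssumeRoleWithSAML parameters for the chosen role. PrincipalArn is not
    picked by the caller: it is the provider ARN the IdP paired with that role."""
    for role, provider in parse_aws_saml_response(saml_b64)["roles"]:
        if role == role_arn:
            return {"RoleArn": role, "PrincipalArn": provider, "SAMLAssertion": saml_b64}
    raise PermissionError("IdP did not authorise %s for this user" % role_arn)


if __name__ == "__main__":
    params = assume_role_params(encode_response(SAMPLE_RESPONSE),
                                "arn:aws:iam::123456789012:role/S3Uploader")
    print(params["RoleArn"], params["PrincipalArn"], len(params["SAMLAssertion"]))
    # Real call (needs a signed Response; no AWS credentials are required for this API):
    # creds = boto3.client("sts").assume_role_with_saml(**params)["Credentials"]
```

The point for the mobile-app design: the app passes the SAMLResponse it got from the IdP through unchanged, and the only roles it can ask STS for are the ones the IdP put in the Role attribute. What a given user may do in S3 is therefore decided by the IdP's attribute mapping (in SimpleSAMLphp, the authsource plus authproc filters) and by the role's IAM policy, not by anything in the app, which is the property you want when the app runs on a device you do not control.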

NuwaN Gajanayaka

Jul 29, 2014, 5:54:40 AM
to simple...@googlegroups.com

Hi Jaime,

Sorry for getting you lost :)

I changed the architecture image according to our solution (to give a clearer idea). In SimpleSAMLphp we added a customized module to authenticate users from our database (the MongoDB user database). According to the image, the client app (mobile application) stores user data in the MongoDB database using the back-end API. Is it possible to get the client's SAML assertion (request number 3) to our API?
